Yesterday I mentioned that I'd found both convenience and (increased) security in the LastPass system for handling online passwords.

Late yesterday, LastPass announced that its engineers had detected a "network traffic anomaly" for which they could not immediately identify the "root cause." Then they found another small anomaly. As explained now on its blog:

"Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

"If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.

"To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP."

I am headed to an airport again and don't have time to explain "salted password hashes" etc. just now. The take-home messages of the LastPass announcement are:

a) All LastPass users will have to change their "master password," which is not that onerous -- and LastPass will check to be sure that the change is coming from a recognized address or user;

b) People who choose "dictionary words" for their passwords -- i.e., normal words that a hacker could just try at random, in a "brute force" attack, to see if one is accepted -- are at greater risk than those who mix the passwords up. The mixing up can include numbers, special characters, multi-word phrases, etc. -- password construction is a topic for another time, but mainly this is a reminder not to have things like "password" or "123456" as your special phrase.

c) At first glance, the company seems to be erring on the side of being quick; transparent (in explaining just what happened, and the risks); and protective of their users (better safe than sorry, so everyone must change their passwords now) in its response. Speed, transparency, and a tragic imagination about what might go wrong are very important elements of survival in the cloud era. Based on what I know now, and how the company has responded, I feel good about still using them as a password protector. We'll see what comes next.

UPDATE: from an airport, the comments on the LastPass site suggest a real range of experiences. Some users are reporting the problem mentioned in the email below: that after a user changes the master password, as now required by LastPass, all the other stored passwords are rendered into gibberish. Which is a whole new nightmare. Other users indicate no problems. The note quoted below suggests making a local copy of all the stored passwords before doing anything with the LP account. I can't vet or fully check this out at the moment, but in the spirit of real-time update, this is an important cautionary note. A reader writes:

>>WARNING:

1. They have a blog post about a possible hack and advice they intend to give to warn people to change their master password

2. I changed mine ahead of getting a note from them, though I may not have needed to (I use a Yubikey for 2 factor authentication). A harmless precaution I thought.

3. As soon as I did so all of my records (hundreds) became complete gibberish

4. I cannot even log into the support forum as I could - I'll have to create a new account

5. But... others are posting the same problem

Looks like a disaster, and a great pity as this was working so well, so being deprived of it is a huge inconvenience.

I think the operative advice is to download all one's passwords before changing the master password. I don't keep my banking or other critical passwords online (I use and recommend KeepassX) and there's now a way of loading Lastpass passwords into this for safekeeping, which I haven't got around to yet.

I do have a backup stored in my own creation: a TiddlyFolio (a TiddlyWiki that can encrypt key data and which lives on a USB stick on my key ring): http://tiddlyfolio.tiddlyspot.com, but it's not as up to date as I'd like.<<

Some of the most recent comments on the blog itself have similar protective advice. We're all in the middle of figuring out the proper long-term cloud security protocols.

UPDATE^2: And a technically sophisticated user makes a case in support of LastPass's handling of the case and its long-term security.
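The risk in point b) above, as an added example that is not part of the original post and does not reproduce LastPass's actual hashing scheme: once a salt and its salted hash are both exposed, a password that appears on a wordlist can be matched offline, while a long phrase that is on no list cannot. PBKDF2-HMAC-SHA256, the iteration count, the user names, salts and the wordlist are all assumptions constructed for this sketch.

```python
import hashlib
import hmac

ITERATIONS = 1_000  # assumed work factor; every guess costs this many HMAC rounds


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, stretched hash (PBKDF2-HMAC-SHA256, chosen for this sketch)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def build_sample_records() -> dict:
    """Constructed database rows: user -> (salt, salted hash)."""
    users = {
        "alice": ("password", bytes.fromhex("00112233445566778899aabbccddeeff")),
        "bob": ("password", bytes.fromhex("ffeeddccbbaa99887766554433221100")),
        "carol": ("7 lamps over Quito, softly!",
                  bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")),
    }
    return {name: (salt, hash_password(pw, salt)) for name, (pw, salt) in users.items()}


# Constructed stand-in for a list of common passwords.
WORDLIST = ["123456", "password", "letmein", "qwerty"]


def find_in_wordlist(salt: bytes, stored: bytes, wordlist):
    """Return the wordlist entry that reproduces the stored hash, else None."""
    for word in wordlist:
        if hmac.compare_digest(hash_password(word, salt), stored):
            return word
    return None


def audit(records: dict, wordlist) -> dict:
    """Map each user to the matching wordlist entry, or None if none matches."""
    return {user: find_in_wordlist(salt, stored, wordlist)
            for user, (salt, stored) in records.items()}


if __name__ == "__main__":
    records = build_sample_records()
    # Same password, different salts: the stored hashes differ, so one
    # precomputed table cannot cover both rows.
    print("hashes differ:", records["alice"][1] != records["bob"][1])
    # With the salt exposed alongside the hash, dictionary words still match.
    for user, hit in audit(records, WORDLIST).items():
        print(user, "-> on the wordlist, change it" if hit else "-> not on the wordlist")
```

The salt only stops an attacker from reusing one precomputed table across all accounts; resistance to guessing comes from the password itself and from the cost of each guess.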

About the Author

James Fallows is a national correspondent for The Atlantic and has written for the magazine since the late 1970s. He has reported extensively from outside the United States and once worked as President Carter's chief speechwriter. He and his wife, Deborah Fallows, are the authors of the forthcoming book Our Towns.
